Cloudy With a Chance of SSL | TechSNAP 195

Cloudy With a Chance of SSL | TechSNAP 195

We go inside the epic takedown of SpamHaus, then we break down why CloudFlare’s Flexible SSL is the opposite of security.

Followed by a great batch of questions, our answers & much much more!

Thanks to:




Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

Become a supporter on Patreon:


— Show Notes: —

Krebs covers the arrest of one of the attackers in the SpamHaus attack, but digs even deeper

  • “A 17-year-old male from London, England pleaded guilty this week to carrying out a massive denial-of-service attack last year against anti-spam outfit SpamHaus and content delivery network CloudFlare”
  • In late March 2013, a massive distributed denial-of-service (DDoS) attack hit the web site of SpamHaus, an organization that distributes a blacklist of spammers to email and network providers.
  • When SpamHaus moved its servers behind CloudFlare, which specializes in blocking such attacks — the attackers pelted CloudFlare’s network, taking it down as well.
  • The New York Times called the combined assault the largest known DDoS attack ever on the Internet at the time; for its part, CloudFlare dubbed it “the attack that almost broke the Internet.”
  • Both of these were wrong, the attack was no larger than others seen every day on the internet
  • The only clever part of the DDoS was attacking the, supposed to be unpublished and unreachable, IP address of the route server at the London Internet Exchange (LINX)
  • A response from the CTO of nLayer/GTT (major backbone providers)
  • TechSNAP Episode 104 – We tear down the hype around this attack
  • The Krebs article also digs much deeper into the story, covering StopHaus, the group that ordered the attack, uncovering who is behind it
  • “this seems as good a time as any to look deeper into who’s likely the founder and driving force behind the Stophaus movement itself. All signs point to an angry, failed spammer living in Florida who runs an organization that calls itself the Church of Common Good”
  • The Church of Common Good lists as its leader a Gulfport, Fla. man named Andrew J. Stephens, whose LinkedIn page says he is a “media mercenary” at the same organization (hours after this story was posted, large chunks of text were deleted from Stephens’ profile; a PDF of the original profile is here).
  • Stephens’ CV lists a stint in 2012 as owner of an email marketing firm variously called Digital Dollars and IBT Inc, moneymaking schemes which Stephens describes as a “beginner to intermediate level guide to successful list marketing in today’s email environment. It incorporates the use of both white hat and some sketchy techniques you would find on black hat forums, but has avoided anything illegal or unethical…which you would also find on black hat forums.”
  • Under his “Featured Work” heading, he lists “The Stophaus Project,” “Blackhat Learning Center,” and a link to an spamming software tool called “Quick Send v.1.0.”
  • “Putting spammers and other bottom feeders in jail for DDoS attacks may be cathartic, but it certainly doesn’t solve the underlying problem: That the raw materials needed to launch attacks the size of the ones that hit SpamHaus and CloudFlare last year are plentiful and freely available online. As I noted in the penultimate chapter of my new book — Spam Nation (now a New York Times bestseller, thank you dear readers!), the bad news is that little has changed since these ultra-powerful attacks first surfaced more than a decade ago.”

Why CloudFlare’s Flexible SSL is the opposite of security

  • “Flexible SSL makes it easy to create a secure connection and have it mean nothing. Do you need a trusted certificate for your latest phishing scheme? Just host it regularly on your insecure server and set it up on Cloudflare: that padlock might just seal the deal to the distracted user”
  • The issue is that, to buy real SSL certificates, costs money for each domain
  • But setting up 100s of sites and using Flexibile SSL costs much less
  • “I’m not giving the reader a brilliant criminal idea, I’m sure this is rather obvious to any serious cybercriminal that creates those realistic website copies and the appealing emails that lead people to them – they have been trying to emulate the security features of real websites, but setting up trusted SSL has been a challenge. Now SSL is within their reach, even without the minimum knowledge on how to configure SSL servers.”
  • “It subverts the idea of a secure channel, because it is not secure by any reasonable definition, given the data is transmitted in the clear at some point through the public internet; the idea of authentication, given you no longer are interacting with the websites’ actual servers; and the idea of trust, since thousands of bogus certificates emitted this way will not ensure users’ security, leading me to distrust the trust model of the entire Web. That’s pretty severe right there.”
  • “I’m all for the proliferation of SSL, and security is indeed too difficult for the average webmaster to figure out. This means, unfortunately, that some websites that ask for your private data send it in the clear. Certainly SSL for everybody is much better?
    I’d argue that not really. Not only does it empower anyone to create malicious websites (see above) but it empowers people who don’t know security to do it badly. And by making Flexible SSL available, the easiest and default option is just that.“
  • Do you trust Cloudflare entirely? — Enabling Universal SSL gives your users a sense of security: that the data they are sending is protected from the preying eyes of attackers. Remember though, in this setup, Cloudflare has access to the entire data stream in cleartext, thus your transmission is only as secure as Cloudflare’s infrastructure: one zero-day exploit is all it takes to read traffic of potentially millions of websites with a single attack (this means it could take more than one attack, but certainly not proportional to the number of websites affected, in the sense that a single Cloudflare endpoint mediates traffic to multiple websites).
  • Full SSL allows you to use an untrusted certificate between your server and CloudFlare, then CloudFlare uses a real certificate between them and your users, but they can still snoop on everything
  • Sure, Cloudflare may be in a better position than you are to combat a zero day, but what about combating the government?
  • So, while CloudFlare touts itself as providing SSL for everyone, we are left questioning if that is actually a good thing. Should people that don’t understand how SSL works really be hosting sites using SSL, leaving them and their users trusting that things are secure when they likely aren’t, and trusting CloudFlare doesn’t seem like the best idea


Round Up:

Question? Comments? Contact us here!